Go back to All Blog posts

DNS Server Hijacking Explained: Examples & Mitigation

Nethanel Gelernter
June 6th, 2024

What is the digital supply chain, and why is it risky?

The digital supply chain refers to the chain of third-party digital tools, services and infrastructure that a company depends on for a particular first-party service (such as their website or SaaS platform). In an ever-changing digital landscape, supply chains can be brittle with many unseen risks.

The nature of supply chain risk is transitive; any part of the often long and complicated digital supply chain can be compromised, causing all components downstream of it to also be compromised. This means the whole system is only as secure as its weakest link.

Some examples of significant digital supply risks are web skimming, asset hijacking, mail hijacking and nameserver hijacking. In this article we will go into the details of nameserver hijacking and how compromised DNS servers can be abused to manipulate organizational assets.

What is nameserver hijacking?

Nameserver hijacking is the taking over of servers or services that are responsible for DNS (Domain Name Service) records. DNS resolution is a key part of any online interaction, from secure web browsing to sending emails, hence the hijacking of domains can lead to downstream impact to many different services.

Examples of nameserver hijacking

Registrar account hijacking

Most of the time, organizations use a third party domain registrar to manage their DNS records. The trouble begins when credentials to login to the domain registrar is compromised; if the attacker can gain access to modify domain records, they can do a lot of damage.

When the attacker gains access to the registrar account, they can typically perform the following actions:

  • Add, remove or modify DNS records, which allows them to:
    • Spin up new websites or take down existing ones
    • Redirect website to another server
    • Change MX record and intercept emails
    • Change TXT SPF records to allow them to spoof emails
    • Validate new certificates
  • Read and edit domain contact information
  • (Potentially) Transfer domain ownership to another registrar they control

Since DNS is a critical process for pretty much every online interaction, an attacker being able to modify DNS records would be able to compromise many aspects of your organization as well as use the access to attack your customers (such as delivering malicious updates as part of a supply chain attack).

Domain squatting 

When a domain expires, the original registrar might no longer be responsible for it. That means someone else can easily register the same domain.

The practice of domain squatting (or sometimes called cybersquatting) is the act of registering a domain immediately after it expires, to benefit financially from its previous owners in some way either by abusing the existing trademark or up-selling it back to the original owner for a much higher price.

For organizations that are unaware of this attack, it can be the most effective way to hijack a domain without compromising any servers or accounts.

Perfect impersonation: validating new certificates

Secure web browsing over HTTPS also relies on DNS to work. When a HTTPS certificate is issued for your website, the validation challenge process needs to take place to prove that you own the domain that the certificate is being issued for. 

An example attack that’s designed to steal user information without any changes to normal interaction

If an attacker gains control of your DNS settings, they can modify “A” records to point to a new IP on a web server they control; that allows them to prove ownership of the website and gain a new certificate. They can also add a “TXT” record to validate the challenge to do the same thing. After gaining a new trusted certificate, they can impersonate websites using your domain with valid HTTPS, and use that to social engineer users or trick them into giving up information by just proxying to your original servers via an AiTM (Attacker-in-The-Middle attack). The user will see virtually no difference between the old and new website, and nor will your server logs, as they will still contain normal user transactions.

Mitigation: Lock and monitor DNS changes

To prevent domain squatting, most registrars have a “transfer lock” feature that allows you to place a domain in a locked state when it expires, and prevent anyone else from transferring it to another registrar. If this feature is not available, then auto-renewing your domain would also achieve the same effect by not letting it expire.

Since DNS is such an important digital infrastructure, changes to any DNS records should be version controlled with alerts sent to the appropriate people (such as IT and security teams). Domain registrar accounts should always be secured with strong passwords and multi-factor authentication. In the case that a domain is hijacked or transferred to someone else, make sure your organization has plenty of documentation (such as billing records) to prove that you are the rightful owner to ICANN in a dispute.

Conclusion

DNS is an extremely important aspect of the attack surface and its digital supply chain, which is why visibility into any changes in your DNS is paramount. You can leverage attack surface management platforms like IONIX, which takes a proactive approach to identifying and mitigating risks posed by assets vulnerable to hijacking. To see IONIX in action, request a scan today.

REQUEST A THREAT EXPOSURE REPORT TODAY

Discover the full extent of your online exposure so you can protect it.